Importing CentOS Errata with Pulp3

I used this method to sync the errata to Foreman. However, I think there are some issues with how Foreman processes the errata.

I used this Python script to process the errata.xml file: GitHub - vmfarms/generate_updateinfo
I then proceeded to make a local repository on the host and synced the repo to Foreman. All this works just fine.

The issue however seems to be with how foreman handles that information. CESA_2021__5192 for example. According to foreman there are no hosts that this applies to. While according to spacewalk this errata affects hosts that are registered to foreman.

Package installed currently on the host.
samba-common-4.10.16-15.el7_9.noarch
Package that should contain fix for the security issue.
samba-common-4.10.16-17.el7_9.noarch

So I believe that Foreman does not correctly inform the admin about what needs to be updated. AFAIK the packages where the version is lower than what is listed in the updated packages here https://access.redhat.com/errata/RHSA-2021:5192 are affected.


Foreman does see that the package needs to be updated but doesn’t inform that there is some errata to be applied to the host even though the errata is synced to the host.

I’m curious whether this is an issue with how Foreman handles this specific errata file or something else. ATM I have not updated the package yet, but I’m guessing that when the package matches the package version in the errata’s updated packages, Foreman might inform that there is errata that needs to be applied. I’m currently using this errata file: https://cefs.steve-meier.de/errata.latest.xml.bz2

Also noticing the same, I have imported errata also from the same steve-meier source into a new repo centos7-errata which is in my Product named Centos7.

I can find the latest polkit errata from centos mailing list [CentOS-announce] CESA-2022:0274 Important CentOS 7 polkit Security Update in the Centos7 → Centos7-errata repo in katello. If I select the errata it shows me I have hosts this is applicable to, and I’m redirected to the content page listing those hosts.

The applicable package is installable on those hosts, but that list of hosts shows no security errata available.

Correction, the following is not accurate:

If I select the errata it shows me I have hosts this is applicable to, and I’m redirected to the content page listing those hosts.

If I click on the errata it shows no hosts are applicable, and no content hosts are listed. If I select packages, click the applicable package, ie polkit from example above, I then see the count of hosts polkit is installed on, and how many are upgradable. Clicking on upgradable redirects to content → with the following query upgradable_rpms=polkit-0.112-26.el7_9.1.x86_64.

So the errata from the centos7-errata repo doesn’t associate with packages in another repo.

Hi @Stevedd
Do you use a content view? In my case, I see the errata in the repo, but it isn’t present in published versions of the ContentView.

On my Foreman server I’ve created a local repo in /var/www/html/pub/centos_errata/7, then using a script I import and inject errata into the local repo:
generate_updateinfo.py -s all -t all -v <(bzip2 -dc /tmp/errata.latest.xml.bz2)
/usr/bin/modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos_errata/7/repodata/

In Foreman I’ve added a new repo, synced it to a local repo https://foreman/pub/centos_errata/7/ (here I see all errata), added this new repo to a CV and published.
There are no errata in the published version.

It appears only if I add an erratum by an incremental update:
hammer content-view version incremental-update --content-view-version-id NNNN --errata-ids NNNN --organization XXXX

I’m on foreman-3.0.1-1, katello-4.2.1-1

Best regards,

Finally I’ve found a problem:
my ContentView had a filter for one rpm (qpid-proton-c); after deleting this filter and publishing a new version of the CV, all errata is visible in the CV version and at the host.

The errata from the repo doesn’t seem to be associated correctly by Foreman. For CESA-2022:0274, polkit-0.112-26.el7_9.1.x86_64.rpm seems to be the solution package which has the vulnerability fixed. So the errata should show all hosts that need to be upgraded to that package. For example polkit-0.112-11.el7_3.x86_64, which should be shown as a security errata for that package, simply gets registered as a package which needs to be upgraded, without showing the errata properly.


I’ve created a separate post regarding that issue but so far no solutions have been provided. I don’t know whether the issue lies in the XML file, the script that processes it or in how Foreman handles errata from local repos. Errata is shown correctly at least with AlmaLinuxes.
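
The comparison discussed in the posts above (installed samba-common 4.10.16-15.el7_9 against the fixed 4.10.16-17.el7_9, and the same question for polkit) can be cross-checked outside Foreman. The following is an added example, not part of the original thread and not Foreman or Katello code: it reads an updateinfo.xml and reports advisories whose fixed build is newer than an installed NVRA. Assumptions: the sample XML is constructed, the function names are hypothetical, installed epochs are taken as 0, and the version comparison is a simplified RPM-style one without '~' or '^' handling.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the usual updateinfo.xml layout; the epoch value is assumed.
UPDATEINFO = """<updates>
  <update type="security">
    <id>CESA_2021__5192</id>
    <pkglist><collection>
      <package name="samba-common" epoch="0" version="4.10.16"
               release="17.el7_9" arch="noarch"/>
    </collection></pkglist>
  </update>
</updates>"""

def vercmp(a, b):
    """Segment-wise RPM-style comparison (no '~' or '^' handling)."""
    ta, tb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples; epoch first."""
    return (int(a[0]) > int(b[0])) - (int(a[0]) < int(b[0])) \
        or vercmp(a[1], b[1]) or vercmp(a[2], b[2])

def split_nvra(nvra):
    """'name-version-release.arch' -> (name, version, release, arch)."""
    rest, arch = nvra.rsplit(".", 1)
    return (*rest.rsplit("-", 2), arch)

def applicable(updateinfo_xml, installed_nvras):
    """Return (advisory id, installed NVRA) pairs where the installed build predates the fix."""
    hits = []
    installed = [(n, split_nvra(n)) for n in installed_nvras]
    for upd in ET.fromstring(updateinfo_xml).iter("update"):
        for pkg in upd.iter("package"):
            fixed = (pkg.get("epoch") or "0", pkg.get("version"), pkg.get("release"))
            for nvra, (name, ver, rel, arch) in installed:
                # Installed epoch assumed 0: a plain NVRA string does not carry it.
                if (name, arch) == (pkg.get("name"), pkg.get("arch")) \
                        and evr_cmp(("0", ver, rel), fixed) < 0:
                    hits.append((upd.findtext("id"), nvra))
    return hits
```

Feeding it the output of `rpm -qa` from a host and the generated updateinfo.xml gives an independent list to compare with what Foreman shows for that host.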

I’m using a locally built CentOS 7 errata repository, attached to a content view, and it seems to be working fine for the CESA mentioned:

As “yum list-sec” shows it:

CESA_2022__0274 Important/Sec. polkit-0.112-26.el7_9.1.x86_64

Well how do you create that repo? I’m wondering if there is some difference on how we create the local repo and that’s the reason why it doesn’t work properly for me.

using this script (https://github.com/vmfarms/generate_updateinfo)

This is how I sync the errata. I’m not using content views but that really shouldn’t affect how errata is handled in the system.


#download latest errata
wget -q https://cefs.steve-meier.de/errata.latest.xml.bz2 -e use_proxy=yes -e https_proxy=http://proxy:3128 -O /var/lib/foreman-errata/errata.latest.xml.bz2
/usr/bin/bzip2 -d -f /var/lib/foreman-errata/errata.latest.xml.bz2
#process the errata
/usr/bin/python /usr/bin/generate_updateinfo.py -s all -t all /var/lib/foreman-errata/errata.latest.xml -d /tmp/ > /dev/null 2>&1
#inject errata to a local repo
modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos7-errata/repodata/ > /dev/null 2>&1
#sync via api


Hi John- Can you please explain me on this.

  • I’ve created a folder on /var/www/html/pub/centos-errata/
  • used createrepo /var/www/html/pub/centos-errata/ to create the repodata.
  • Executed the commands as per the git (GitHub - vmfarms/generate_updateinfo)

wget -q -N -P/tmp http://cefs.steve-meier.de/errata.latest.xml.bz2

(cd /tmp/ && sha1sum -c <(wget -qO- http://cefs.steve-meier.de/errata.latest.sha1|grep bz2) )

generate_updateinfo.py <(bzip2 -dc /tmp/errata.latest.xml.bz2)

but it throws the below error. Can you help with what I am missing here?

WARNING:root:Unwanted advisory type: CEEA-2021:4452. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4473. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4488. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4491. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4498. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4514. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:4539. Skipping
WARNING:root:Unwanted advisory type: CEEA-2021:5239. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0684. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0687. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0702. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0703. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0790. Skipping
WARNING:root:Unwanted security advisory severity: CESA-2014:0827. Skipping

I’d say you’re not running generate_updateinfo.py appropriately, this is my wrapper script - we’re only interested in CentOS 7 errata:

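#!/bin/bash
# Regenerate the CentOS 7 updateinfo.xml from the CEFS feed and inject it into the local errata repo.

SCRIPTDIR=$(dirname "$0")
TMPDIR="/tmp/generate_updateinfo$$"
REPODIR=/var/www/html/pub/centos-errata

# Download the latest errata feed into $TMPDIR
wget -q -N -P"$TMPDIR" http://cefs.steve-meier.de/errata.latest.xml.bz2

# <( ... ) is bash process substitution: the decompressed XML is passed as a file argument
"$SCRIPTDIR/generate_updateinfo.py" -r 7 -d "$TMPDIR" -s all -t all <(bzcat "$TMPDIR/errata.latest.xml.bz2") &> /dev/null

# Replace the old updateinfo metadata with the newly generated file
modifyrepo --remove updateinfo "$REPODIR/7/repodata"
modifyrepo "$TMPDIR/updateinfo-7/updateinfo.xml" "$REPODIR/7/repodata"

rm -fr "$TMPDIR"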

Hi John,

The wrapper was throwing an error for the open ( brace, hence I modified it to tilde ` and executed the script.

[root@xxxxx tmp]# cat centoswrapper.sh
#!/bin/bash

SCRIPTDIR=$(dirname $0)
TMPDIR="/tmp/generate_updateinfo$$"
REPODIR=/var/www/html/pub/centos-errata

wget -q -N -P$TMPDIR http://cefs.steve-meier.de/errata.latest.xml.bz2

$SCRIPTDIR/generate_updateinfo.py -r 7 -d $TMPDIR -s all -t all < bzcat $TMPDIR/errata.latest.xml.bz2 &> /dev/null
#$SCRIPTDIR/generate_updateinfo.py -r 7 -d $TMPDIR -s all -t all < (bzcat $TMPDIR/errata.latest.xml.bz2}

modifyrepo --remove updateinfo $REPODIR/7/repodata
modifyrepo $TMPDIR/updateinfo-7/updateinfo.xml $REPODIR/7/repodata

rm -fr $TMPDIR
[root@xxxx tmp]#

Output of the script at the bottom:

<packages>expat-static-2.1.0-15.el7_9.i686.rpm</packages>
<packages>expat-static-2.1.0-15.el7_9.x86_64.rpm</packages>
Steve Meier Free for non-commercial use This software is provided AS IS. There are no guarantees. It might kill your cat. Tue Oct 11 07:13:18 UTC 2022 : File name too long
Metadata not found: updateinfo
Could not add metadata from file /tmp/generate_updateinfo15360/updateinfo-7/updateinfo.xml: /tmp/generate_updateinfo15360/updateinfo-7/updateinfo.xml not found
[root@xxxx tmp]#

This one runs in my test box. I’ve already created the repo in the Satellite 6.10 GUI as you suggested above. Can you please help with the error?

Your change to my script completely changes the meaning of the main line of the script. It needs to stay as it is, and be run by bash.

I believe it executed successfully.

From which location do I need to take the “updateinfo.xml” to run the below command? Once we run the below command, do we need to sync from Satellite for that repo?

modifyrepo updateinfo.xml /var/www/html/pub/centos-errata/7/repodata/

[root@xxx tmp]# ./centoswrapper.sh
Removed:
type = updateinfo
location = repodata/7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93-updateinfo.xml.gz
checksum = 7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93
timestamp = 1666346209
open-checksum = 2fda6ec5bf85b713be63073ceaf54631267f269a8ad0505e3f8d3c9f522cd075
Wrote: /var/www/html/pub/centos-errata/7/repodata/repomd.xml
Wrote: /var/www/html/pub/centos-errata/7/repodata/updateinfo.xml.gz
type = updateinfo
location = repodata/7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93-updateinfo.xml.gz
checksum = 7eb148d95ed29c763744fcfef44d567ff4614b703959d199f67e953384af3a93
timestamp = 1666346532
open-checksum = 2fda6ec5bf85b713be63073ceaf54631267f269a8ad0505e3f8d3c9f522cd075
Wrote: /var/www/html/pub/centos-errata/7/repodata/repomd.xml
[root@xxxx tmp]#

For us it’s just a repo in a product, and that gets synced daily. New CVV publications then take in the new errata.

Our team has created a product named “centos” and it has 6 repositories. It syncs every week and we follow the below steps to update errata info, but now that we have upgraded to Satellite 6.10 the script is not working because of errata. I’ve followed your instructions and created one more repo, but I’m missing something: errata info is not syncing in. Attached the images.

This “New CVV publications then take in the new errata.” will come only after we run “modifyrepo updateinfo.xml /var/www/html/pub/centos-errata/7/repodata/”. If so, from which location do I need to get the updateinfo.xml file?


Directory: /root/centos_oel_sync/katello-centos-errata-import
Execute the script in below order once moved into above directory.

  1. sh download-data.sh
  2. bzip2 -d data/com.redhat.rhsa-all.xml
  3. mv com.redhat.rhsa-all.xml.out com.redhat.rhsa-all.xml
  4. ./centos-errata-redis-loader.py
  5. Edit the config.yaml to add one after another repositories
    Finally run this command ./centos-errata-katello-importer.py

Looks like they followed this git “GitHub - nicolas-r/katello-centos-errata-import: Imports CentOS (from http://cefs.steve-meier.de/) errata into Katello”.

It’s in the script

modifyrepo $TMPDIR/updateinfo-7/updateinfo.xml $REPODIR/7/repodata

As in, the updateinfo.xml is generated in a temporary directory, and then inserted into the yum repository.

“modifyrepo ff0894025b701998e85d6081ea06e443bddf2a370c8467ef4e82f9795e75dada-updateinfo.xml.gz /var/www/html/pub/centos-errata/7/repodata/” - it got completed.

Now I synced the repo “CentOS errata 7” and I do not see any errata :frowning:

Anything else we need to do?

Use my script, or at least attempt to understand what it’s doing?

A .xml.gz file is not the same as a .xml file.

It is pretty simple (how I do it):
create repo dir:

mkdir -p /var/www/html/pub/centos-erratas/7/repodata

Generate and add to repo:

generate_updateinfo.py -s all -t all errata.latest.xml
modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos-erratas/7/repodata

Create errata repo in foreman with url to

 https://<foreman FQDN>/pub/centos-erratas/7/

Use hammer to sync it:

hammer --quiet repository synchronize --id <repo id> --organization <your org>

When working, just add it all to a bash script and run whenever…
